From cfdc620a3f1a924158369b959ed9061f6aa4bb70 Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Mon, 4 Aug 2014 10:38:08 +0200
Subject: unity: Do not bump TS to 0.0.0.0/0 as initiator when no Split-Include received

When having the unity plugin enabled and both peers send the Unity Vendor ID, we proposed 0.0.0.0/0 as traffic selector, even if no Split-Include has been received on the SA. This can break compatibility with some responders, as they don't narrow the TS themselves, but expect the configured TS.
---
 src/libcharon/plugins/unity/unity_narrow.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
(limited to 'src/libcharon/plugins/unity/unity_narrow.c')
diff --git a/src/libcharon/plugins/unity/unity_narrow.c b/src/libcharon/plugins/unity/unity_narrow.c
index 70a96990a..52a2c7f24 100644
--- a/src/libcharon/plugins/unity/unity_narrow.c
+++ b/src/libcharon/plugins/unity/unity_narrow.c
@@ -139,6 +139,23 @@ static void narrow_responder_post(child_cfg_t *child_cfg, linked_list_t *local)
 	configured->destroy(configured);
 }
 
+/**
+ * Check if any Split-Include attributes are active on this IKE_SA
+ */
+static bool has_split_includes(private_unity_narrow_t *this, ike_sa_t *ike_sa)
+{
+	enumerator_t *enumerator;
+	traffic_selector_t *ts;
+	bool has;
+
+	enumerator = this->handler->create_include_enumerator(this->handler,
+														 ike_sa->get_unique_id(ike_sa));
+	has = enumerator->enumerate(enumerator, &ts);
+	enumerator->destroy(enumerator);
+
+	return has;
+}
+
 METHOD(listener_t, narrow, bool,
 	private_unity_narrow_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
 	narrow_hook_t type, linked_list_t *local, linked_list_t *remote)
@@ -154,7 +171,10 @@ METHOD(listener_t, narrow, bool,
 	{
 		case NARROW_INITIATOR_PRE_AUTH:
 		case NARROW_RESPONDER:
-			narrow_pre(remote, "other");
+			if (has_split_includes(this, ike_sa))
+			{
+				narrow_pre(remote, "other");
+			}
 			break;
 		case NARROW_INITIATOR_POST_AUTH:
 		case NARROW_RESPONDER_POST:
-- 
cgit v1.2.3
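Review bot: The new guard in the second hunk gates both NARROW_INITIATOR_PRE_AUTH and NARROW_RESPONDER on has_split_includes(), so the responder path now also keeps the configured remote TS when no Split-Include is active, while the commit title and the has_split_includes() comment describe only the initiator case. The helper's comment should state where its result is used, e.g. `* Check if any Split-Include attributes are active on this IKE_SA; used by narrow() to decide whether the remote TS may be widened to 0.0.0.0/0 for both the initiator pre-auth and responder hooks`. In has_split_includes(), `ts` is written by enumerate() but never read; a one-line comment such as `/* only the presence of a first entry matters, ts itself is not used */` would make that intentional rather than look like a dropped check. The body of narrow() starts and ends outside the second hunk, so the remaining cases are not visible here.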